Bitglass Shows Vulnerabilities in Mobile Device Management (MDM) with an Experiment
The growth of mobile device management (MDM) solutions has been a natural evolution in enterprises as mobile technology became part of the ecosystem. MDM was created to manage all of the devices accessing corporate networks, and it provides a wide range of services, including security. But a new experiment conducted by Bitglass, a data protection company, reveals that MDM can expose the personal data of users.
Bitglass conducted the experiment over a period of one week by tracking the personal devices of volunteer employees to find out how MDM can be misused, and to determine how much access employers have over the personal data of their employees as well as their user behavior.
In theory, MDMs are designed to give organizations secure control of virtually every aspect of the mobile device, including what types of apps are permitted and outbound communications. The goal of this experiment by Bitglass was to highlight how much access this control gives companies to personal information, access that has the potential to be abused.
"The invasion of privacy by MDM is a key reason that there are two billion mobile devices on the planet, but only a few million devices managed by MDM. IT leaders looking to enable BYOD must focus on a data-centric, agent-less approach that respects user privacy," said Nat Kausik, CEO, Bitglass.
The most common MDM configurations in enterprise deployments give administrators access to a wide range of information. During the experiment, Bitglass was able to see the content of employee personal email boxes, social networking accounts, as well as banking information. Any time the employees were accessing a service with a username and password, it was transmitted through the corporate network in plain text, and this included sensitive accounts.
The search history of the employees was also accessible, along with the type of applications they downloaded. The access also extended to third-party applications, including Gmail, Messenger, and iOS apps.
This went a step further, as Bitglass was able to force the GPS of the volunteers to stay active in the background without letting them know. The location data revealed where employees went after work, where they traveled on weekends, where they shopped and more, all while draining the battery of their device.
Employers have to find an MDM solution that protects the network infrastructure of the enterprise, while ensuring the privacy of their employees is always protected. According to the latest BYOD report from Bitglass, 67 percent of employees said they would participate if only their employers couldn't access their personal data and applications.
In short, the Bitglass research highlights for cyber security professionals that, in the quest to mitigate risks and become trained and certified cyber security experts, using your skills and knowledge is a case where, to borrow a phrase made popular by the hit TV show The Big Bang Theory, “with great power comes great responsibility.” Formulating and implementing MDM, which is becoming a business necessity in a “mobile-first” world, does need to take into account end user concerns about a creeping and creepy “big brother” in the workplace, and hence potential employer abuse of private information.
Edited by Peter Bernstein